Posted In: Health Care & Cybersecurity & Data Privacy
Technology & Health Care
By Craig S. Horbus & Nicole M. Thorn on April 16, 2020
The California Consumer Privacy Act (CCPA) has been in effect since January of this year. In our previous blog posts (see Compliance Checkup: Your 2020 Compliance Checklist – December 10, 2019 and Data Privacy Alert: Businesses Will Likely Bear the Brunt of US Federal Privacy Law – March 26, 2019), we have covered the CCPA and which businesses are subject to this data privacy law, still the most stringent of all state laws regarding personally identifiable information (PII). The CCPA exempts some protected health information (PHI) from its requirements. Although there is no blanket exemption for health care providers, most of these providers are familiar with similar data privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). There is no private right of action for an individual under HIPAA for data breaches. The CCPA on the other hand, does provide such an action, which is why the state law is one of the more powerful privacy laws.
In a case of first impression, a Pennsylvania resident has filed a class action lawsuit against a California health care provider for CCPA violations involving PHI1. If this sounds like the intersection of two very complicated laws, you have read this correctly. The complaint alleges that Sunshine Behavioral Health’s (Sunshine) cloud-based storage bucket hosted on Amazon Web Services (AWS S3) was misconfigured and resulted in a number of patient records being exposed in September 2019. Although Sunshine responded and secured the data, it did not report the data breach to the Office of Civil Rights, the federal authority charged with HIPAA compliance.
Although the CCPA and HIPAA have similar premises that data holders of personal information must take appropriate precautions to store, transmit and not disclose this PII/PHI, the two laws have slightly different definitions and nuances. One of these differences is that HIPAA provides very technical guidance regarding what constitutes “reasonable security procedures and practices”. CCPA on the other hand does not define “reasonable security procedures and practices”, though informally, the California Attorney General has cited international technical standards such as NIST and CIS in past statements.
Many businesses that are subject to CCPA or HIPAA will wait anxiously to see the court’s interpretation of the laws and their intersection. Cloud-based services have become the standard in many industries and for many platforms. Use this opportunity to ensure that any contracts with cloud-based providers have the necessary protections in the event of a data breach. Also consider cyber liability insurance for your own business that includes third-party liability coverage to help cover losses resulting from a data breach. Finally, ensure your business has a corporate data security plan and incident response plan in place; this is imperative whether you are subject to HIPAA, CCPA or other data privacy laws which now exist in every state.
Brouse McDowell has a team of health care, cyber security, and insurance recovery attorneys who can help you in one or all of these areas. If you have questions about your contracts, your HIPAA compliance, CCPA or other data security compliance, or your cyber insurance coverage, please reach out to us for further guidance.
1 Fuentes v. Sunshine Behavioral Health, LLC, U.S. District Court, Central District of California, Case No. 8:20-cv-00487.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.